Threat Intelligence Blog

Your Account Credentials Were Sold on the Dark Web… Now What?

By Emilio Iasiello, LookingGlass Cyber Threat Intelligence Group

Cyber criminals continue to evolve their operations, seeking more effective ways to exploit and monetize the information they steal from organizations. Large data dumps provide such an avenue as the data harvested can be leveraged to exploit other online accounts that the victims have, potentially providing criminals other areas to further abuse for their illicit economic endeavors. A recent report by a security vendor revealed that the five most common items for sale in the cyber crime underground include stolen generic credentials, stolen identities complete with passport and/or financial information, intellectual property, supply chain threats, and hacking tools.

To a cyber criminal, every bit of data provides the potential to make money. It’s not just account information that’s important, but also seemingly innocuous information such as your middle name or model of your first car, could be leveraged for compromises. In this regard, data dumps provide a wealth of information from which an innovative criminal can continue to reap benefits.

A data dump is the major output of data that can help users to either back up or duplicate a database. In the criminal sense, it refers to when a hostile actor gains unauthorized access to a target enterprise, steals a large volume of sensitive company or customer data, and makes it available for free or purchase in the global cyber criminal underground. Such information can be monetized for sale to other hostile actors seeking to conduct criminal operations such as identity theft, or leverage the information to conduct other attacks.

The type of information in a data dump generally consists of personally identifiable information (PII) such as names, addresses, and social security numbers, as well as financial and healthcare information. All of this information can either help criminals make money or conduct further attacks. Other information that is often released includes e-mail addresses, usernames, and passwords (sometimes plaintext, sometimes a non-salted weak algorithm).

The sale and exchange of information gathered from data dumps is the backbone of underground markets. This data is not exclusive to any one industry vertical. Large amounts of data dumps have been observed in the criminal underground taken from both private and public sectors. There have been some very notable data dumps; for example, the recent Panama Papers incident, Ashley Madison, LinkedIn, and WikiLeaks, to name a few.

Data dump information can vary in price, with larger data dumps averaging out to fractions of pennies for each record. However, actors able to provide “fullz” – underground market slang for full information of the victim – name, address, credit card information, social security number, date of birth, and more – is worth more than limited victim information. The more information on the victims, the more criminals are able to exploit them, and in turn, the more money a seller can earn.

In 2015, “Fullz” credentials yielded anywhere from $30 – $50 per record, a price subject to change based on the supply and demand of the market to which it’s catering. Criminals cash out “fullz” in several different ways such as using a bank’s telephone service while posing as the victim, doing a “change of billing” and ordering credit cards, and applying for loans, according to one security website.

An important takeaway is that cyber criminals are continuously seeking ways to leverage all of the information contained in a “fullz” for monetization. Considering that individuals have a habit of reusing passwords across all their various accounts, it’s little wonder why “fullz” information may be seen as more valuable, particularly as it may offer criminals the opportunity to exploit other online resources for which those individuals have accounts. In fact, this is what happened recently to Facebook’s CEO who reused a password for his Twitter and Pinterest accounts.

Additionally, information that is not immediately leveraged or seen as “useful” can be sold to other types of criminals. According to researchers, information pulled from a “fullz” can help create identity kits, passports, fake drivers’ licenses, and fake utility bills. These counterfeit documents can help someone commit other forms of criminal activity.

While individuals cannot deter cyber criminals from targeting them, there are some ways that they can be proactive in making it more difficult for these threat actors to succeed.

Do not re-use passwords for online accounts. A password manager allows you to create multiple unique passwords and you don’t have the burden of memorizing them. These programs also have an analysis feature that reminds you to change passwords after a certain amount of time.

Frequently change passwords. Related to our first tip, users should consider changing passwords quarterly, if not more often, in order to stay ahead of potential breach activity. If a breach includes a user’s password, all passwords for all online accounts should be changed promptly. Additionally, if you learn of a website, app, or other account you utilize has been breached, change your password immediately.

Use multi-factor authentication. If someone does steal a password, multi-factor authentication enables the provider to transmit the secondary means of authentication to another device, such as a text message, email, or phone call. It’s difficult for the bad guys to access both parts of a multi-factor authentication process.

Identify theft protection. It can be difficult to manage professional, personal, and online activities. Identity theft protection can provide some level of credit monitoring.

If you have been notified that your personally identifiable information (PII) might have been compromised, there are chances that your data has already been, or is going to be, sold on the Dark Web. While you may not have been a victim, here are some precautionary steps you can take:

Cancel your debit and credit cards. Then ask for a reissued card. If a debit card is involved in a breach, there is almost no way for you to get your money back. If you don’t believe you were a victim and don’t want to cancel your cards, monitor your account for any suspicious activity.

Change login credentials for most – or all – of your accounts. This is especially important if you have re-used usernames and passwords (as mentioned above).

Issue a fraud alert or security freeze for your Social Security number (SSN). Take this step if you believe your SSN has been compromised. This will help with identity theft and will alert credit bureaus that you may have been a victim of fraud.

For organizations, data breaches and data loss can negatively impact business operations, as well as brand image. As such, organizations should develop and exercise response plans in order to minimize damage as quickly as possible. Response plans need to be practiced and ready for execution at any time. Maintaining resiliency in the wake of breaches is important for organizations in order to preserve business operations. There are several types of response plans such as incident response, data breach response, and IT recovery. Organizations need to be able to assess a breach’s impact, notify key stakeholders such as law enforcement and third party partners or vendors, and have a communications strategy in place for both customers and the public at large.

Contact LookingGlass today to see how our threat intelligence services can protect you and your organization from data dumps and a wide range of other online risks.